From 6ac842b3e8c4d4f595e20363b8bc2360faeb3fea Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Wed, 25 Jun 2025 15:59:48 +0100
Subject: [PATCH] Configure workflow permissions and enable CodeQL analysis

---
 .github/workflows/build-and-deploy-snapshot.yml | 2 ++
 .github/workflows/ci.yml | 2 ++
 .github/workflows/distribute.yml | 2 ++
 .github/workflows/release-milestone.yml | 2 ++
 .github/workflows/release.yml | 2 ++
 .github/workflows/run-codeql-analysis.yml | 15 +++++++++++++++
 .github/workflows/run-system-tests.yml | 2 ++
 .github/workflows/trigger-docs-build.yml | 4 +++-
 8 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/run-codeql-analysis.yml

diff --git a/.github/workflows/build-and-deploy-snapshot.yml b/.github/workflows/build-and-deploy-snapshot.yml
index 509e9695b69..0d5c3e3cab5 100644
--- a/.github/workflows/build-and-deploy-snapshot.yml
+++ b/.github/workflows/build-and-deploy-snapshot.yml
@@ -4,6 +4,8 @@ on:
 push:
 branches:
 - '3.4.x'
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3b9a01596e3..97b1fe37dcb 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,6 +3,8 @@ on:
 push:
 branches:
 - '3.4.x'
+permissions:
+ contents: read
 jobs:
 ci:
 name: '${{ matrix.os.name}} | Java ${{ matrix.java.version}}'
diff --git a/.github/workflows/distribute.yml b/.github/workflows/distribute.yml
index eebe17b4159..e8462178fe5 100644
--- a/.github/workflows/distribute.yml
+++ b/.github/workflows/distribute.yml
@@ -15,6 +15,8 @@ on:
 description: 'Version to bundle and distribute'
 required: true
 type: string
+permissions:
+ contents: read
 jobs:
 distribute-spring-enterprise-release-bundle:
 runs-on: ${{ vars.UBUNTU_SMALL || 'ubuntu-latest' }}
diff --git a/.github/workflows/release-milestone.yml b/.github/workflows/release-milestone.yml
index 634af02776a..61d3d4107fa 100644
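Review bot: The workflow-level `permissions:` block added after the `on:` trigger in build-and-deploy-snapshot.yml grants `contents: read` and thereby sets every other GITHUB_TOKEN scope to none for all jobs, while the job definitions that would show whether any job still needs a write scope lie outside the hunk. The same block is added in ci.yml, distribute.yml, release-milestone.yml, release.yml and run-system-tests.yml; for the publishing workflows (snapshot deploy, release, release-milestone, distribute) it is worth confirming that deployment and release creation rely on a separately scoped secret rather than GITHUB_TOKEN, or that the job re-declares `permissions:` the way trigger-docs-build.yml does in this commit. A one-line comment above the block would make the intent durable when jobs are added later, e.g. `# Least-privilege default for GITHUB_TOKEN; a job needing more must declare its own permissions block.`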
--- a/.github/workflows/release-milestone.yml
+++ b/.github/workflows/release-milestone.yml
@@ -4,6 +4,8 @@ on:
 tags:
 - v3.4.0-M[0-9]
 - v3.4.0-RC[0-9]
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b88acf895bc..5f88b17b5f7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,6 +3,8 @@ on:
 push:
 tags:
 - v3.4.[0-9]+
+permissions:
+ contents: read
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
diff --git a/.github/workflows/run-codeql-analysis.yml b/.github/workflows/run-codeql-analysis.yml
new file mode 100644
index 00000000000..13962090949
--- /dev/null
+++ b/.github/workflows/run-codeql-analysis.yml
@@ -0,0 +1,15 @@
+name: "Run CodeQL Analysis"
+on:
+ push:
+ pull_request:
+ workflow_dispatch:
+ schedule:
+ - cron: '0 5 * * *'
+permissions: read-all
+jobs:
+ run-analysis:
+ permissions:
+ actions: read
+ contents: read
+ security-events: write
+ uses: spring-io/github-actions/.github/workflows/codeql-analysis.yml@6e66995f7d29de1e4ff76e4f0def7a10163fe910
diff --git a/.github/workflows/run-system-tests.yml b/.github/workflows/run-system-tests.yml
index afa746c2153..42a14a30acf 100644
--- a/.github/workflows/run-system-tests.yml
+++ b/.github/workflows/run-system-tests.yml
@@ -3,6 +3,8 @@ on:
 push:
 branches:
 - '3.4.x'
+permissions:
+ contents: read
 jobs:
 run-system-tests:
 name: 'Java ${{ matrix.java.version}}'
diff --git a/.github/workflows/trigger-docs-build.yml b/.github/workflows/trigger-docs-build.yml
index 193cca00034..800ed79813d 100644
--- a/.github/workflows/trigger-docs-build.yml
+++ b/.github/workflows/trigger-docs-build.yml
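Review bot: `permissions: read-all` at the top of the new run-codeql-analysis.yml is broader than the `contents: read` this same commit applies to every other workflow, and it has no effect on the only job, run-analysis, because that job's own `permissions:` block replaces the workflow-level one entirely. Narrowing it to `permissions:` / `  contents: read` keeps the default-token grant consistent across the workflows and avoids silently widening the token for any job added later without its own block. The reusable workflow is pinned to a full commit SHA, which is the right choice; appending a trailing comment naming the tag that SHA corresponds to (e.g. `# <tag>`, placeholder to be filled in) would let reviewers and update tooling see which version is in use.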
@@ -12,12 +12,14 @@ on:
 description: 'Version being build (e.g. 1.0.3-SNAPSHOT)'
 required: false
 permissions:
- actions: write
+ contents: read
 jobs:
 trigger-docs-build:
 name: Trigger Docs Build
 if: github.repository_owner == 'spring-projects'
 runs-on: ${{ vars.UBUNTU_SMALL || 'ubuntu-latest' }}
+ permissions:
+ actions: write
 steps:
 - name: Check Out
 uses: actions/checkout@v4
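Review bot: The job-level `permissions:` block added under trigger-docs-build replaces the workflow-level block rather than merging with it, so the job's token carries `actions: write` and nothing else — `contents` becomes none even though the workflow-level default is now `contents: read`. The `actions/checkout@v4` step in the same job then only succeeds if the clone does not need the token (a public repository), so unless that is guaranteed the block should read `permissions:` / `  actions: write` / `  contents: read`. A short comment on the block, such as `# job-scoped: only this job needs actions: write`, would also record why the scope was moved out of the workflow-level block. The job's remaining steps are beyond the end of the hunk.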